Crash with magic signature: autofill::`anonymous namespace'::GetServerId<autofill::AutofillProfile> also crashing in the same file 'autofill_wallet_metadata_syncable_service.cc' is #1 browser crash on Windows canary(56.0.2896.0) and the magic signature from C#0 is ranked #2 browser crash.

Stack trace of 412f4cbb00000000 having magic signature 'autofill::`anonymous namespace'::GetServerId<autofill::AutofillProfile>'

Thread 9 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000350 ] MAGIC SIGNATURE THREAD
0x00007fffa0a58b9c	(chrome.dll -autofill_wallet_metadata_syncable_service.cc:203 )	autofill::`anonymous namespace'::GetServerId<autofill::AutofillProfile>
0x00007fffa0a57ac6	(chrome.dll -autofill_wallet_metadata_syncable_service.cc:411 )	autofill::AutofillWalletMetadataSyncableService::GetLocalData(base::ScopedPtrHashMap<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::unique_ptr<autofill::AutofillProfile,std::default_delete<autofill::AutofillProfile> > > *,base::ScopedPtrHashMap<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::unique_ptr<autofill::CreditCard,std::default_delete<autofill::CreditCard> > > *)
0x00007fffa0a58073	(chrome.dll -autofill_wallet_metadata_syncable_service.cc:453 )	autofill::AutofillWalletMetadataSyncableService::MergeData(std::vector<syncer::SyncData,std::allocator<syncer::SyncData> > const &)
0x00007fffa0a5725f	(chrome.dll -autofill_wallet_metadata_syncable_service.cc:228 )	autofill::AutofillWalletMetadataSyncableService::MergeDataAndStartSyncing(syncer::ModelType,std::vector<syncer::SyncData,std::allocator<syncer::SyncData> > const &,std::unique_ptr<syncer::SyncChangeProcessor,std::default_delete<syncer::SyncChangeProcessor> >,std::unique_ptr<syncer::SyncErrorFactory,std::default_delete<syncer::SyncErrorFactory> >)
0x00007fffa0981507	(chrome.dll -shared_change_processor.cc:121 )	syncer::SharedChangeProcessor::StartAssociation(base::Callback<void ,1,1>,syncer::SyncClient * const,syncer::UserShare *,std::unique_ptr<syncer::DataTypeErrorHandler,std::default_delete<syncer::DataTypeErrorHandler> >)
0x00007fffa097cada	(chrome.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( syncer::SharedChangeProcessor::*)(base::Callback<void ,1,1>,syncer::SyncClient *,syncer::UserShare *,std::unique_ptr<syncer::DataTypeErrorHandler,std::default_delete<syncer::DataTypeErrorHandler> >),scoped_refptr<syncer::SharedChangeProcessor>,base::Callback<void ,1,1>,syncer::SyncClient *,syncer::UserShare *,base::internal::PassedWrapper<std::unique_ptr<syncer::DataTypeErrorHandler,std::default_delete<syncer::DataTypeErrorHandler> > > >,void >::Run(base::internal::BindStateBase *)
0x00007fff9f49a3d9	(chrome.dll -task_annotator.cc:52 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007fff9f435feb	(chrome.dll -message_loop.cc:413 )	base::MessageLoop::RunTask(base::PendingTask *)
0x00007fff9f436c04	(chrome.dll -message_loop.cc:515 )	base::MessageLoop::DoWork()
0x00007fff9f49bc19	(chrome.dll -message_pump_default.cc:35 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007fff9f47efc2	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x00007fff9ee50e3d	(chrome.dll -browser_thread_impl.cc:221 )	content::BrowserThreadImpl::DBThreadRun(base::RunLoop *)
0x00007fff9ee51344	(chrome.dll -browser_thread_impl.cc:278 )	content::BrowserThreadImpl::Run(base::RunLoop *)
0x00007fff9f45e7a0	(chrome.dll -thread.cc:333 )	base::Thread::ThreadMain()
0x00007fff9f42a318	(chrome.dll -platform_thread_win.cc:84 )	base::`anonymous namespace'::ThreadFunc
0x00007fffceb38363	(KERNEL32.DLL + 0x00008363 )	BaseThreadInitThunk
0x00007fffcee95e90	(ntdll.dll + 0x00065e90 )	RtlUserThreadStart

Link to the list of the builds:
==============================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27autofill%3A%3A%60anonymous%20namespace%5C%27%3A%3AGetServerId%3Cautofill%3A%3AAutofillProfile%3E%27%20AND%20product.name%3D%27Chrome%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Workaround if you're blocked: Start Canary with a new profile (e.g. canary --user-data-dir=C:\temp3) so that you don't have any stored credit cards.

 Issue 657873  has been merged into this issue.

Underfined parameter evaluation at https://cs.chromium.org/chromium/src/components/autofill/core/browser/webdata/autofill_wallet_metadata_syncable_service.cc?rcl=1476847656&l=411

unique_ptr dereference and std::move in the same parameter list.

Fix is at https://chromiumcodereview.appspot.com/2437123002

Avi, I've picked this up.

rogerm@, thank you for the quick fix. Could you please merge this fix to 2896 branch once it has been landed? We are planning to create a back-up build for tomorrow's dev release just in case tonight's canary is unstable.

Repro Steps:
=============
Just update Chrome to latest Canary with user data contains 'Autofill' information. Then the chrome is crashing each time we launch.

Thanks again!

 Issue 657909  has been merged into this issue.

Issue 657907 has been merged into this issue.

once the panic is over it would be good to see some sort of analysis/postmortem as to why this was not detected in our test coverage, and how we can improve this in the future.

Issue 657928 has been merged into this issue.

Issue 657801 has been merged into this issue.

Unrestricting view.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/884c98b01d2daebaa2f519300d3f64b2850f31fe

commit 884c98b01d2daebaa2f519300d3f64b2850f31fe
Author: rogerm <rogerm@chromium.org>
Date: Thu Oct 20 19:03:13 2016

Dereference and std::move in same param list == top crasher

Fix a top crasher (2016/10/20) caused by defer of a unique_ptr and a std::move of the same unique_ptr in the same parameter list. The order of evalulation is unspecified, so this is unsafe.

BUG= 657778 
R=ajha@chromium.org, avi@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2437123002
Cr-Commit-Position: refs/heads/master@{#426553}

[modify] https://crrev.com/884c98b01d2daebaa2f519300d3f64b2850f31fe/components/autofill/core/browser/webdata/autofill_wallet_metadata_syncable_service.cc

Your change meets the bar and is auto-approved for M55 (branch: 2883)

Sorry, my bad.  I need to merge to 2896 branch (see comment #7 above), and I thought it was m55.  It is actually m56.  So I won't merge this to m55.

Reg c#18: Yes please. More over you do not need any merge approval for 2896 branch, since it is yet to be branched officially.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99267e28b9e6977de841fef3d3ee62f8d028718a

commit 99267e28b9e6977de841fef3d3ee62f8d028718a
Author: Roger Tawa <rogerta@google.com>
Date: Thu Oct 20 19:36:37 2016

Dereference and std::move in same param list == top crasher

Fix a top crasher (2016/10/20) caused by defer of a unique_ptr and a std::move of the same unique_ptr in the same parameter list. The order of evalulation is unspecified, so this is unsafe.

BUG= 657778 
R=ajha@chromium.org, avi@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2437123002
Cr-Commit-Position: refs/heads/master@{#426553}
(cherry picked from commit 884c98b01d2daebaa2f519300d3f64b2850f31fe)

Review URL: https://codereview.chromium.org/2438803002 .

Cr-Commit-Position: refs/branch-heads/2896@{#3}
Cr-Branched-From: eb410d934c054b358be84d4bc63724e99cefa7c8-refs/heads/master@{#426358}

[modify] https://crrev.com/99267e28b9e6977de841fef3d3ee62f8d028718a/components/autofill/core/browser/webdata/autofill_wallet_metadata_syncable_service.cc

 Issue 657973  has been merged into this issue.

Users experienced this crash on the following builds:

Win Canary 56.0.2896.0 -  1612.76 CPM, 5884 reports, 3722 clients (signature autofill::`anonymous namespace'::GetServerId<autofill::AutofillProfile>)
Win Canary 56.0.2896.0 -  114.84 CPM, 419 reports, 260 clients (signature base::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Just to update:

This is the top#1 browser crash on Android canary #56.0.2896.0 with 74 instances from 45 unique client Ids

Issue 657942 has been merged into this issue.

No crashes seen on Windows latest canary(56.0.2896.3) live for 10 hours now.

Adding the verified label therefore. Please close the issue if there is no further work to be done here.

56.0.2896.0 canary (64-bit) displaying "Google Chrome is up to date" here (then usual crash after few secs).

Deleted: debug.log 579 bytes

debug.log 579 bytes View Download

@leo I'm assuming they are waiting for 56.0.2897.x

@leo

The fix landed on between 56.0.2896.0 and 56.0.2896.3

So, it's expected that you'll still see the crash if you haven't updated.

@rogerm I have updated even with the chromesetup.exe and canary is still on 56.0.2896.0

It looks like win64 canary is running slightly behind.

http://omahaproxy.appspot.com

manoranjanr@ or ajha@: can you provide some insight as to the ETA of this rolling out to the various canaries?

@Rogerm the update just rolled out. Thanks you.

Made it to 56.0.2896.3 canary (64-bit)! Few restarts later, no more crashes.
chrome://help/ About 'Checking for updates…' then 'An error occurred while checking for updates: The updater is currently running. Refresh in a minute to check again.' No debug.log's created.

Confirmed Now working ,Thanks you everyone
Version 56.0.2896.3 canary (64-bit)

The fix has been successfully rolled out through Chrome#56.0.2896.3.

Thank you all for confirming the fix!